*
This is the Security Target (ST) associated with the latest Maintenance Release.
To view previous STs for this TOE, click here.

Product Description

The Palo Alto Networks next-generation firewalls are network firewall appliances and virtual appliances used to manage enterprise network traffic flow using function specific processing for networking, security, and management.The next-generation firewalls let the administrator specify security policies based on an accurate identification of each application seeking access to the protected network.The next-generation firewall uses packet inspection and a library of applications to distinguish between applications that have the same protocol and port, and to identify potentially malicious applications that use non-standard ports. The next-generation firewall also supports the establishment of Virtual Private Network (VPN) connections to other next-generation firewalls or third party security devices.

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the TOEwas judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 4. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 revision 4. The product, when delivered and configured as described in the guidance documentation, satisfies all of the security functional requirements stated in the Palo Alto Networks PA-200 Series, PA-500, PA-800 Series, PA-3000 Series, PA-5000 Series, PA-5200 Series, PA-7000 Series, and VM Series Next-Generation Firewall with PAN-OS v8.0.6 Security Target. The project underwent CCEVS validation team review. The evaluation was completed in April 2018. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.

Environmental Strengths

Security Audit

The TOE generates audit records of security relevant events. Generated audit records include the date and time of the event, the event type, the subject identity and the outcome of the event. For audit events resulting from the actions of identified users, the identity of the user is recorded in the generated audit record. The TOE can be configured to store audit records locally so they can be accessed by an administrator and can also be configured to export the audit records to an external audit server.

In the event the space available for storing audit records locally is exhausted, the TOE will overwrite the oldest stored audit records with new audit records as they are generated. The TOE generates an alarm and an audit record to inform the administrator before the local space to store audit data is exhausted and the oldest audit records will start to be overwritten.

The TOE allocates and releases the memory resources used for network packet objects. Both when it receives data from the network and when it transmits data to the network, it ensures that the buffers are not padded out with previously transmitted or otherwise residual information by overwriting unused parts of the buffer with 0s. The TOE thus ensures it does not inadvertently reuse data found in network traffic.

Identification and Authentication

The TOE requires all users accessing the TOE user interfaces to be successfully identified and authenticated before they can access any security management functions available in the TOE. The TOE offers network accessible (HTTP over TLS) and direct connections to the GUI for interactive administrator sessions.

The TOE supports the local (i.e., on device) definition and authentication of administrators with username, password, and role (set of privileges), which it uses to authenticate the human user and to associate that user with an authorized role. In addition, the TOE can authenticate users using X509 certificates and can be configured to lock a user out after a configurable number of unsuccessful authentication attempts.

When a user authenticates a local interactive session, no information about the authentication data (i.e., password) is echoed to the user. Passwords can be composed of any combination of upper and lower case letters, numbers, and the following special characters: !; @; #; $; %; ^; &; *; (; ); _; <; >; .; ~; '; +; ,; -; /; :; “;”; =; [; \; ]; `; {; and }. The TOE supports the use of X.509v3 certificates for IPsec and TLS authentication and also supports certificate revocation checking using Online Certificate Status Protocol (OCSP) or Certificate Revocation List (CRL). The TOE will not accept a certificate if it is unable to establish a connection in order to determine the certificate’s validity.

Security Management

The TOE provides a Graphical User Interface (GUI) to access its security management functions. Security management commands are limited to administrators and are available only after they have provided acceptable user identification and authentication data to the TOE. The TOE provides access to the GUI locally via direct RJ-45 Ethernet cable connection and remotely using an HTTPS client.

Protection of the TSF

The TOE implements a number of features designed to protect itself to ensure the reliability and integrity of its security features.

It protects sensitive data such as stored passwords and cryptographic keys so that they are not accessible even by an administrator. It also provides its own timing mechanism to ensure that reliable time information is available (e.g., for audit accountability).

The TOE includes functions to perform self-tests so that it might detect when it is failing. It also includes mechanisms so that the TOE itself can be updated while ensuring that the updates will not introduce malicious or other unexpected changes in the TOE.

TOE Access

The TOE can be configured to display an administrator-defined advisory banner before establishing an administrative user session and to terminate both local and remote interactive sessions after a configurable period of inactivity. It also provides users the capability to terminate their own interactive sessions.

Trusted Path/Channels

The TOE protects interactive communication with remote administrators using IPsec or HTTP over TLS. IPsec and TLS ensure both integrity and disclosure protection.

The TOE protects communication with external IT entities as follows:

·With the User Identification Agent (UIA) and update server using TLS

·With an external audit server using IPsec or TLS

·With VPN gateways/peers using IPsec.

Stateful Traffic Filtering

The TOE implements a stateful traffic filter firewall for layers 3 and 4 (IP and TCP/UDP) network traffic, optimized through the use of stateful packet inspection.

An administrator can configure the TOE to control the type of information that is allowed to pass through the TOE. The administrator groups interfaces into security zones. Each zone identifies one or more interfaces on the TOE. Separate zones must be created for each type of interface (Layer 2, Layer 3, or virtual wire), and each interface must be assigned to a zone before it can process traffic. Security policies provide the firewall rule sets that specify whether to block or allow network connections, based on the source and destination zones, and addresses, and the application service (such as UDP port 67 or TCP port 80). Security policy rules are processed in sequence, applying the first rule that matches the incoming traffic.

Packet Filtering

The TOE provides packet filtering and secure IPsec tunneling. The tunnels can be established between two trusted VPN peers as well as between remote VPN clients and the TOE. An administrator can configure security policies that determine whether to block, allow, or log a session based on traffic attributes such as the source and destination security zone, the source and destination IP address, the application, user, and the service.